Cisco Support Community

New Member

ASA 5510 Policy map

Hello all,

I have 2 proxy servers allowed to do www through the firewall, but I want to make a policy which would restrict the TCP connections and the embryonic connections.

Does anyone know what would be the best practices for this.

I mean I am not sure how many I should allow and what should the time-out intervals be!

Thanks,

Vlad

1 REPLY
Anonymous

Re: ASA 5510 Policy map

To configure a timeout for TCP embryonic connections (connections that result from an incomplete three-way handshake) and half-closed connections (connections where the client has sent a FIN and the server has not responded), use the set tcp timeout command. Use the no form of this command to reset TCP timeout values to their default settings.

set tcp timeout {embryonic seconds | half-closed seconds}

no set tcp timeout {embryonic | half-closed}

Examples:

To set the TCP timeout for embryonic connections to 24 seconds, enter:

host1/Admin(config-parammap-conn)# set tcp timeout embryonic 24

To reset the TCP half-closed connection timeout to the default of 600 seconds, enter:

host1/Admin(config-parammap-conn)# no set tcp timeout half-closed

You can limit TCP and UDP connections and embryonic connections. Limiting the number of connections and embryonic connections protects you from a DoS attack. The security appliance uses the embryonic limit to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination.

TCP normalization is a feature consisting of advanced TCP connection settings designed to drop packets that do not appear normal.

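As an added example (not part of the original thread or the reply above), here is what the connection-limit and embryonic-timeout policy described in the reply looks like on an ASA using its Modular Policy Framework syntax (class-map / policy-map / service-policy). The proxy addresses 10.0.0.11 and 10.0.0.12, the policy and class names, and every numeric limit and timeout are constructed placeholders; the limits in particular must be sized from the proxies' real connection counts (check with show conn count before and after) rather than copied.

```cisco
! Constructed example, not from the original post: match only the two
! proxies' outbound HTTP traffic so the limits apply to nothing else.
access-list PROXY_WWW extended permit tcp host 10.0.0.11 any eq www
access-list PROXY_WWW extended permit tcp host 10.0.0.12 any eq www

class-map PROXY_WWW
 match access-list PROXY_WWW

! Optional TCP normalization map: the ASA already drops malformed segments
! by default; this map only tightens behaviour for the matched flows.
tcp-map PROXY_TCP_NORM
 reserved-bits clear
 urgent-flag clear

! Apply to the existing global policy so other classes keep working.
policy-map global_policy
 class PROXY_WWW
  ! Aggregate limits for both proxies combined (placeholder values):
  ! conn-max caps established TCP connections, embryonic-conn-max caps
  ! half-open ones and is the threshold at which TCP Intercept starts
  ! proxying SYNs on behalf of the inside hosts.
  set connection conn-max 2000 embryonic-conn-max 400
  ! Per-source-address limits so one proxy cannot exhaust the whole budget.
  set connection per-client-max 1200 per-client-embryonic-max 250
  ! Embryonic: how long an incomplete handshake may sit (default 30s).
  ! Half-closed: how long after one side's FIN (default 10 min).
  ! tcp: idle timeout for established connections (default 1 hour).
  set connection timeout embryonic 0:00:20 half-closed 0:05:00 tcp 1:00:00
  set connection advanced-options PROXY_TCP_NORM

service-policy global_policy global

! Verification (read-only):
!   show service-policy             - per-class current/max conn and embryonic counters
!   show conn count                 - total in-use connections to size the limits against
!   show conn address 10.0.0.11     - live flows for one proxy
```

Leave the defaults on every other class; the limits here only protect the two proxy flows. If the embryonic counters in show service-policy approach embryonic-conn-max during normal operation, raise the limit before the ASA begins intercepting legitimate SYNs.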